[wp-meta] [Making WordPress.org] #5937: Extend the possibility for leaving a plugin or theme review

Making WordPress.org noreply at wordpress.org
Tue Oct 26 10:58:04 UTC 2021


#5937: Extend the possibility for leaving a plugin or theme review
-------------------------+--------------------
 Reporter:  Clorith      |      Owner:  (none)
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:
Component:  General      |   Keywords:
-------------------------+--------------------
 **Disclaimer: This is for sharing an extended idea, and is not an absolute
 solution, or implementation guide.**

 Now that we've got the formalities out of the way: currently, to write a
 review for a plugin or theme on WordPress.org, you need to create an
 account. This is fine, but since WordPress.org does not have SSO (Single
 Sign-On), it means users need ''yet'' another account, which is a barrier
 for many.

 With the addition of Application Passwords, we could investigate other
 avenues to help plugin and theme authors encourage reviews of their
 solutions. There are pros and cons to this of course, which I'll get back
 to shortly.

 If an anonymous user goes to write a review, ask them for their WordPress
 website URL as well. When the review is submitted, it would then be
 possible to validate their site, _and_ that they have the plugin or theme
 installed, before the review is published. After the validation is done,
 the application password (the token) should be removed from WordPress.org,
 as there's no scenario where we would want to sit on potential access to
 who knows how many sites.

 One drawback is that anyone leaving a negative review is unlikely to have
 the plugin or theme still installed. I think the contrast could be drawn
 that they'd then not have a problem making an account to share their
 disapproval in the first place.

 Alternatively, the app password request could be used to authenticate
 against a website, grab their account e-mail, and use it as an avenue to
 create (and approve) their account with WordPress.org in as smooth a
 transition as possible.

 Regardless of approach, it would need to pass through abuse detection of
 some form, like anything else. What options do we have to prevent abuse
 here? Anyone can spin up a WordPress site fairly easily these days, so what
 potential abuse do we envision, and how do we work against each of these?

 This could be used to sign up under temporary emails we would normally
 filter out.
 Any normal signup flow precautions should be applied as before.

 Someone could spam reviews for plugins or themes via single-use sites.
 Should we detect high activity on plugin or theme reviews/forums in the
 first place to trigger a "slow down" or similar, to ensure nobody is
 being targeted? (Probably a different ticket, but a potential fix.)

 Those were two quick thoughts to get the discussion rolling.
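 The validation step the ticket sketches (take the reviewer's site URL and
 the application password they authorised, confirm the plugin is installed,
 then drop the credential) can be written out to make the moving parts
 concrete. The following is an added example, not code from the ticket or
 from WordPress.org. The REST endpoint `/wp-json/wp/v2/plugins` and HTTP
 Basic authentication with an application password are real WordPress
 behaviour; the assumed response shape is a list of objects whose `plugin`
 field holds `"<directory>/<file>"`, and the function names, the injectable
 `fetch` hook and the sample data are all constructed for this example. The
 URL check rejects non-https and non-public addresses because the validator
 fetches a user-supplied URL from the WordPress.org side.

```python
"""Added example of the site-validation flow proposed in the ticket.
Not WordPress.org code; endpoint and auth scheme are real WordPress,
response shape and helper names are assumptions for illustration."""
import base64
import ipaddress
import json
import urllib.request
from urllib.parse import urlsplit


def normalise_site_url(site_url: str) -> str:
    """Accept only an https URL with a public host; keep any subdirectory
    path, since WordPress may live in one. Literal loopback or private
    addresses are refused so the validator cannot be aimed inward."""
    parts = urlsplit(site_url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("site URL must be https:// with a hostname")
    host = parts.hostname
    if host == "localhost" or host.endswith(".localhost"):
        raise ValueError("loopback host rejected")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        pass  # a hostname, not a literal IP; resolution is left to the caller
    else:
        if not ip.is_global:
            raise ValueError("non-public address rejected")
    port = f":{parts.port}" if parts.port else ""
    return f"https://{host}{port}{parts.path.rstrip('/')}"


def basic_auth_header(username: str, app_password: str) -> str:
    """Application passwords are sent as HTTP Basic credentials; the spaces
    WordPress shows in the generated password are not part of it."""
    raw = f"{username}:{app_password.replace(' ', '')}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def plugin_installed(plugins: list, slug: str) -> bool:
    """True if a plugin whose directory equals the WordPress.org slug
    appears in the /wp/v2/plugins response (active or inactive)."""
    for entry in plugins:
        plugin_file = entry.get("plugin", "")
        if plugin_file.split("/", 1)[0] == slug:
            return True
    return False


def _http_get_json(url: str, auth_header: str):
    """Real network fetch; only used when no fake `fetch` is injected."""
    req = urllib.request.Request(
        url, headers={"Authorization": auth_header, "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def validate_reviewer(site_url, username, app_password, slug, fetch=None):
    """Check that the reviewer's site has the plugin installed, then keep
    only the verdict. Nothing here persists the credential; the caller
    must not store it either (the ticket's 'remove the token' point)."""
    base = normalise_site_url(site_url)
    header = basic_auth_header(username, app_password)
    try:
        plugins = (fetch or _http_get_json)(f"{base}/wp-json/wp/v2/plugins", header)
    finally:
        header = app_password = None  # drop references; retain no credential
    return {"site": base, "installed": plugin_installed(plugins, slug)}


# Constructed sample of a /wp/v2/plugins response with two installed plugins.
SAMPLE_PLUGINS = [
    {"plugin": "example-gallery/example-gallery", "status": "active",
     "name": "Example Gallery"},
    {"plugin": "sample-seo/sample-seo", "status": "inactive",
     "name": "Sample SEO"},
]


def fake_fetch(url: str, auth_header: str):
    """Stand-in for the HTTP call so the flow runs offline."""
    assert url.endswith("/wp-json/wp/v2/plugins")
    assert auth_header.startswith("Basic ")
    return SAMPLE_PLUGINS


if __name__ == "__main__":
    print(validate_reviewer("https://example.com/blog/", "reviewer",
                            "abcd efgh", "example-gallery", fetch=fake_fetch))
```

 Themes would follow the same shape against `/wp-json/wp/v2/themes`,
 matching on the `stylesheet` field instead. Both endpoints require a user
 with the corresponding capability on the remote site, so the application
 password must belong to an administrator-level account there; that is
 exactly why the credential should be discarded the moment the verdict is
 known.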

-- 
Ticket URL: <https://meta.trac.wordpress.org/ticket/5937>
Making WordPress.org <https://meta.trac.wordpress.org/>
Making WordPress.org